diff options
author | deshevoy <deshevoy@yandex-team.ru> | 2022-02-10 16:46:56 +0300 |
---|---|---|
committer | Daniil Cherednik <dcherednik@yandex-team.ru> | 2022-02-10 16:46:56 +0300 |
commit | e988f30484abe5fdeedcc7a5d3c226c01a21800c (patch) | |
tree | 0a217b173aabb57b7e51f8a169989b1a3e0309fe /contrib/libs/openssl/ssl/s3_enc.c | |
parent | 33ee501c05d3f24036ae89766a858930ae66c548 (diff) | |
download | ydb-e988f30484abe5fdeedcc7a5d3c226c01a21800c.tar.gz |
Restoring authorship annotation for <deshevoy@yandex-team.ru>. Commit 1 of 2.
Diffstat (limited to 'contrib/libs/openssl/ssl/s3_enc.c')
-rw-r--r-- | contrib/libs/openssl/ssl/s3_enc.c | 1188 |
1 files changed, 594 insertions, 594 deletions
diff --git a/contrib/libs/openssl/ssl/s3_enc.c b/contrib/libs/openssl/ssl/s3_enc.c index 8a89f512fe..ab86328638 100644 --- a/contrib/libs/openssl/ssl/s3_enc.c +++ b/contrib/libs/openssl/ssl/s3_enc.c @@ -1,595 +1,595 @@ -/* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. - * Copyright 2005 Nokia. All rights reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> +/* + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005 Nokia. All rights reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdio.h> #include "ssl_local.h" -#include <openssl/evp.h> -#include <openssl/md5.h> -#include "internal/cryptlib.h" - -static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) -{ - EVP_MD_CTX *m5; - EVP_MD_CTX *s1; - unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; - unsigned char c = 'A'; - unsigned int i, j, k; - int ret = 0; - -#ifdef CHARSET_EBCDIC - c = os_toascii[c]; /* 'A' in ASCII */ -#endif - k = 0; - m5 = EVP_MD_CTX_new(); - s1 = EVP_MD_CTX_new(); - if (m5 == NULL || s1 == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, - ERR_R_MALLOC_FAILURE); - goto err; - } - EVP_MD_CTX_set_flags(m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) { - k++; - if (k > sizeof(buf)) { - /* bug: 'buf' is too small for this ciphersuite */ - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, - ERR_R_INTERNAL_ERROR); - goto err; - } - - for (j = 0; j < k; j++) - buf[j] = c; - c++; - if (!EVP_DigestInit_ex(s1, EVP_sha1(), NULL) - || !EVP_DigestUpdate(s1, buf, k) - || !EVP_DigestUpdate(s1, s->session->master_key, - s->session->master_key_length) - || !EVP_DigestUpdate(s1, s->s3->server_random, SSL3_RANDOM_SIZE) - || !EVP_DigestUpdate(s1, s->s3->client_random, SSL3_RANDOM_SIZE) - || !EVP_DigestFinal_ex(s1, smd, NULL) - || !EVP_DigestInit_ex(m5, EVP_md5(), NULL) - || !EVP_DigestUpdate(m5, s->session->master_key, - s->session->master_key_length) - || !EVP_DigestUpdate(m5, smd, SHA_DIGEST_LENGTH)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, - ERR_R_INTERNAL_ERROR); - goto err; - } - if ((int)(i + MD5_DIGEST_LENGTH) > num) { - if (!EVP_DigestFinal_ex(m5, smd, NULL)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); - goto err; - } - memcpy(km, smd, (num - i)); - } else { - if (!EVP_DigestFinal_ex(m5, km, NULL)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); - goto err; - } - } - - km += MD5_DIGEST_LENGTH; - } - OPENSSL_cleanse(smd, sizeof(smd)); - ret = 1; - err: - EVP_MD_CTX_free(m5); - EVP_MD_CTX_free(s1); - return ret; -} - -int ssl3_change_cipher_state(SSL *s, int which) -{ - unsigned char *p, *mac_secret; - unsigned char *ms, *key, *iv; - EVP_CIPHER_CTX *dd; - const EVP_CIPHER *c; -#ifndef OPENSSL_NO_COMP - COMP_METHOD *comp; -#endif - const EVP_MD *m; - int mdi; - size_t n, i, j, k, cl; - int reuse_dd = 0; - - c = s->s3->tmp.new_sym_enc; - m = s->s3->tmp.new_hash; - /* m == NULL will lead to a crash later */ - if (!ossl_assert(m != NULL)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, - ERR_R_INTERNAL_ERROR); - goto err; - } -#ifndef OPENSSL_NO_COMP - if (s->s3->tmp.new_compression == NULL) - comp = NULL; - else - comp = s->s3->tmp.new_compression->method; -#endif - - if (which & SSL3_CC_READ) { - if (s->enc_read_ctx != NULL) { - reuse_dd = 1; - } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, - ERR_R_MALLOC_FAILURE); - goto err; - } else { - /* - * make sure it's initialised in case we exit later with an error - */ - EVP_CIPHER_CTX_reset(s->enc_read_ctx); - } - dd = s->enc_read_ctx; - - if (ssl_replace_hash(&s->read_hash, m) == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, - ERR_R_INTERNAL_ERROR); - goto err; - } -#ifndef OPENSSL_NO_COMP - /* COMPRESS */ - COMP_CTX_free(s->expand); - s->expand = NULL; - if (comp != NULL) { - s->expand = COMP_CTX_new(comp); - if (s->expand == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_SSL3_CHANGE_CIPHER_STATE, - SSL_R_COMPRESSION_LIBRARY_ERROR); - goto err; - } - } -#endif - RECORD_LAYER_reset_read_sequence(&s->rlayer); - mac_secret = &(s->s3->read_mac_secret[0]); - } else { - s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; - if (s->enc_write_ctx != NULL) { - reuse_dd = 1; - } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, - ERR_R_MALLOC_FAILURE); - goto err; - } else { - /* - * make sure it's initialised in case we exit later with an error - */ - EVP_CIPHER_CTX_reset(s->enc_write_ctx); - } - dd = s->enc_write_ctx; - if (ssl_replace_hash(&s->write_hash, m) == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, - ERR_R_MALLOC_FAILURE); - goto err; - } -#ifndef OPENSSL_NO_COMP - /* COMPRESS */ - COMP_CTX_free(s->compress); - s->compress = NULL; - if (comp != NULL) { - s->compress = COMP_CTX_new(comp); - if (s->compress == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_SSL3_CHANGE_CIPHER_STATE, - SSL_R_COMPRESSION_LIBRARY_ERROR); - goto err; - } - } -#endif - RECORD_LAYER_reset_write_sequence(&s->rlayer); - mac_secret = &(s->s3->write_mac_secret[0]); - } - - if (reuse_dd) - EVP_CIPHER_CTX_reset(dd); - - p = s->s3->tmp.key_block; - mdi = EVP_MD_size(m); - if (mdi < 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, - ERR_R_INTERNAL_ERROR); - goto err; - } - i = mdi; - cl = EVP_CIPHER_key_length(c); - j = cl; - k = EVP_CIPHER_iv_length(c); - if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || - (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { - ms = &(p[0]); - n = i + i; - key = &(p[n]); - n += j + j; - iv = &(p[n]); - n += k + k; - } else { - n = i; - ms = &(p[n]); - n += i + j; - key = &(p[n]); - n += j + k; - iv = &(p[n]); - n += k; - } - - if (n > s->s3->tmp.key_block_length) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, - ERR_R_INTERNAL_ERROR); - goto err; - } - - memcpy(mac_secret, ms, i); - - if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, - ERR_R_INTERNAL_ERROR); - goto err; - } - - s->statem.enc_write_state = ENC_WRITE_STATE_VALID; - return 1; - err: - return 0; -} - -int ssl3_setup_key_block(SSL *s) -{ - unsigned char *p; - const EVP_CIPHER *c; - const EVP_MD *hash; - int num; - int ret = 0; - SSL_COMP *comp; - - if (s->s3->tmp.key_block_length != 0) - return 1; - - if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp, 0)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_SETUP_KEY_BLOCK, - SSL_R_CIPHER_OR_HASH_UNAVAILABLE); - return 0; - } - - s->s3->tmp.new_sym_enc = c; - s->s3->tmp.new_hash = hash; -#ifdef OPENSSL_NO_COMP - s->s3->tmp.new_compression = NULL; -#else - s->s3->tmp.new_compression = comp; -#endif - - num = EVP_MD_size(hash); - if (num < 0) - return 0; - - num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c); - num *= 2; - - ssl3_cleanup_key_block(s); - - if ((p = OPENSSL_malloc(num)) == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_SETUP_KEY_BLOCK, - ERR_R_MALLOC_FAILURE); - return 0; - } - - s->s3->tmp.key_block_length = num; - s->s3->tmp.key_block = p; - - /* Calls SSLfatal() as required */ - ret = ssl3_generate_key_block(s, p, num); - - if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { - /* - * enable vulnerability countermeasure for CBC ciphers with known-IV - * problem (http://www.openssl.org/~bodo/tls-cbc.txt) - */ - s->s3->need_empty_fragments = 1; - - if (s->session->cipher != NULL) { - if (s->session->cipher->algorithm_enc == SSL_eNULL) - s->s3->need_empty_fragments = 0; - -#ifndef OPENSSL_NO_RC4 - if (s->session->cipher->algorithm_enc == SSL_RC4) - s->s3->need_empty_fragments = 0; -#endif - } - } - - return ret; -} - -void ssl3_cleanup_key_block(SSL *s) -{ - OPENSSL_clear_free(s->s3->tmp.key_block, s->s3->tmp.key_block_length); - s->s3->tmp.key_block = NULL; - s->s3->tmp.key_block_length = 0; -} - -int ssl3_init_finished_mac(SSL *s) -{ - BIO *buf = BIO_new(BIO_s_mem()); - - if (buf == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_INIT_FINISHED_MAC, - ERR_R_MALLOC_FAILURE); - return 0; - } - ssl3_free_digest_list(s); - s->s3->handshake_buffer = buf; - (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE); - return 1; -} - -/* - * Free digest list. Also frees handshake buffer since they are always freed - * together. - */ - -void ssl3_free_digest_list(SSL *s) -{ - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; - EVP_MD_CTX_free(s->s3->handshake_dgst); - s->s3->handshake_dgst = NULL; -} - -int ssl3_finish_mac(SSL *s, const unsigned char *buf, size_t len) -{ - int ret; - - if (s->s3->handshake_dgst == NULL) { - /* Note: this writes to a memory BIO so a failure is a fatal error */ - if (len > INT_MAX) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, - SSL_R_OVERFLOW_ERROR); - return 0; - } - ret = BIO_write(s->s3->handshake_buffer, (void *)buf, (int)len); - if (ret <= 0 || ret != (int)len) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, - ERR_R_INTERNAL_ERROR); - return 0; - } - } else { - ret = EVP_DigestUpdate(s->s3->handshake_dgst, buf, len); - if (!ret) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, - ERR_R_INTERNAL_ERROR); - return 0; - } - } - return 1; -} - -int ssl3_digest_cached_records(SSL *s, int keep) -{ - const EVP_MD *md; - long hdatalen; - void *hdata; - - if (s->s3->handshake_dgst == NULL) { - hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); - if (hdatalen <= 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, - SSL_R_BAD_HANDSHAKE_LENGTH); - return 0; - } - - s->s3->handshake_dgst = EVP_MD_CTX_new(); - if (s->s3->handshake_dgst == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, - ERR_R_MALLOC_FAILURE); - return 0; - } - - md = ssl_handshake_md(s); - if (md == NULL || !EVP_DigestInit_ex(s->s3->handshake_dgst, md, NULL) - || !EVP_DigestUpdate(s->s3->handshake_dgst, hdata, hdatalen)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, - ERR_R_INTERNAL_ERROR); - return 0; - } - } - if (keep == 0) { - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; - } - - return 1; -} - -size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len, - unsigned char *p) -{ - int ret; - EVP_MD_CTX *ctx = NULL; - - if (!ssl3_digest_cached_records(s, 0)) { - /* SSLfatal() already called */ - return 0; - } - - if (EVP_MD_CTX_type(s->s3->handshake_dgst) != NID_md5_sha1) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, - SSL_R_NO_REQUIRED_DIGEST); - return 0; - } - - ctx = EVP_MD_CTX_new(); - if (ctx == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, - ERR_R_MALLOC_FAILURE); - return 0; - } - if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, - ERR_R_INTERNAL_ERROR); - ret = 0; - goto err; - } - - ret = EVP_MD_CTX_size(ctx); - if (ret < 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, - ERR_R_INTERNAL_ERROR); - ret = 0; - goto err; - } - - if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0) - || EVP_MD_CTX_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET, - (int)s->session->master_key_length, - s->session->master_key) <= 0 - || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, - ERR_R_INTERNAL_ERROR); - ret = 0; - } - - err: - EVP_MD_CTX_free(ctx); - - return ret; -} - -int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, - size_t len, size_t *secret_size) -{ - static const unsigned char *salt[3] = { -#ifndef CHARSET_EBCDIC - (const unsigned char *)"A", - (const unsigned char *)"BB", - (const unsigned char *)"CCC", -#else - (const unsigned char *)"\x41", - (const unsigned char *)"\x42\x42", - (const unsigned char *)"\x43\x43\x43", -#endif - }; - unsigned char buf[EVP_MAX_MD_SIZE]; - EVP_MD_CTX *ctx = EVP_MD_CTX_new(); - int i, ret = 1; - unsigned int n; - size_t ret_secret_size = 0; - - if (ctx == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_MASTER_SECRET, - ERR_R_MALLOC_FAILURE); - return 0; - } - for (i = 0; i < 3; i++) { - if (EVP_DigestInit_ex(ctx, s->ctx->sha1, NULL) <= 0 - || EVP_DigestUpdate(ctx, salt[i], - strlen((const char *)salt[i])) <= 0 - || EVP_DigestUpdate(ctx, p, len) <= 0 - || EVP_DigestUpdate(ctx, &(s->s3->client_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_DigestUpdate(ctx, &(s->s3->server_random[0]), - SSL3_RANDOM_SIZE) <= 0 - /* TODO(size_t) : convert me */ - || EVP_DigestFinal_ex(ctx, buf, &n) <= 0 - || EVP_DigestInit_ex(ctx, s->ctx->md5, NULL) <= 0 - || EVP_DigestUpdate(ctx, p, len) <= 0 - || EVP_DigestUpdate(ctx, buf, n) <= 0 - || EVP_DigestFinal_ex(ctx, out, &n) <= 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR); - ret = 0; - break; - } - out += n; - ret_secret_size += n; - } - EVP_MD_CTX_free(ctx); - - OPENSSL_cleanse(buf, sizeof(buf)); - if (ret) - *secret_size = ret_secret_size; - return ret; -} - -int ssl3_alert_code(int code) -{ - switch (code) { - case SSL_AD_CLOSE_NOTIFY: - return SSL3_AD_CLOSE_NOTIFY; - case SSL_AD_UNEXPECTED_MESSAGE: - return SSL3_AD_UNEXPECTED_MESSAGE; - case SSL_AD_BAD_RECORD_MAC: - return SSL3_AD_BAD_RECORD_MAC; - case SSL_AD_DECRYPTION_FAILED: - return SSL3_AD_BAD_RECORD_MAC; - case SSL_AD_RECORD_OVERFLOW: - return SSL3_AD_BAD_RECORD_MAC; - case SSL_AD_DECOMPRESSION_FAILURE: - return SSL3_AD_DECOMPRESSION_FAILURE; - case SSL_AD_HANDSHAKE_FAILURE: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_NO_CERTIFICATE: - return SSL3_AD_NO_CERTIFICATE; - case SSL_AD_BAD_CERTIFICATE: - return SSL3_AD_BAD_CERTIFICATE; - case SSL_AD_UNSUPPORTED_CERTIFICATE: - return SSL3_AD_UNSUPPORTED_CERTIFICATE; - case SSL_AD_CERTIFICATE_REVOKED: - return SSL3_AD_CERTIFICATE_REVOKED; - case SSL_AD_CERTIFICATE_EXPIRED: - return SSL3_AD_CERTIFICATE_EXPIRED; - case SSL_AD_CERTIFICATE_UNKNOWN: - return SSL3_AD_CERTIFICATE_UNKNOWN; - case SSL_AD_ILLEGAL_PARAMETER: - return SSL3_AD_ILLEGAL_PARAMETER; - case SSL_AD_UNKNOWN_CA: - return SSL3_AD_BAD_CERTIFICATE; - case SSL_AD_ACCESS_DENIED: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_DECODE_ERROR: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_DECRYPT_ERROR: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_EXPORT_RESTRICTION: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_PROTOCOL_VERSION: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_INSUFFICIENT_SECURITY: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_INTERNAL_ERROR: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_USER_CANCELLED: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_NO_RENEGOTIATION: - return -1; /* Don't send it :-) */ - case SSL_AD_UNSUPPORTED_EXTENSION: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_CERTIFICATE_UNOBTAINABLE: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_UNRECOGNIZED_NAME: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: - return SSL3_AD_HANDSHAKE_FAILURE; - case SSL_AD_UNKNOWN_PSK_IDENTITY: - return TLS1_AD_UNKNOWN_PSK_IDENTITY; - case SSL_AD_INAPPROPRIATE_FALLBACK: - return TLS1_AD_INAPPROPRIATE_FALLBACK; - case SSL_AD_NO_APPLICATION_PROTOCOL: - return TLS1_AD_NO_APPLICATION_PROTOCOL; - case SSL_AD_CERTIFICATE_REQUIRED: - return SSL_AD_HANDSHAKE_FAILURE; - default: - return -1; - } -} +#include <openssl/evp.h> +#include <openssl/md5.h> +#include "internal/cryptlib.h" + +static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) +{ + EVP_MD_CTX *m5; + EVP_MD_CTX *s1; + unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; + unsigned char c = 'A'; + unsigned int i, j, k; + int ret = 0; + +#ifdef CHARSET_EBCDIC + c = os_toascii[c]; /* 'A' in ASCII */ +#endif + k = 0; + m5 = EVP_MD_CTX_new(); + s1 = EVP_MD_CTX_new(); + if (m5 == NULL || s1 == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, + ERR_R_MALLOC_FAILURE); + goto err; + } + EVP_MD_CTX_set_flags(m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) { + k++; + if (k > sizeof(buf)) { + /* bug: 'buf' is too small for this ciphersuite */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, + ERR_R_INTERNAL_ERROR); + goto err; + } + + for (j = 0; j < k; j++) + buf[j] = c; + c++; + if (!EVP_DigestInit_ex(s1, EVP_sha1(), NULL) + || !EVP_DigestUpdate(s1, buf, k) + || !EVP_DigestUpdate(s1, s->session->master_key, + s->session->master_key_length) + || !EVP_DigestUpdate(s1, s->s3->server_random, SSL3_RANDOM_SIZE) + || !EVP_DigestUpdate(s1, s->s3->client_random, SSL3_RANDOM_SIZE) + || !EVP_DigestFinal_ex(s1, smd, NULL) + || !EVP_DigestInit_ex(m5, EVP_md5(), NULL) + || !EVP_DigestUpdate(m5, s->session->master_key, + s->session->master_key_length) + || !EVP_DigestUpdate(m5, smd, SHA_DIGEST_LENGTH)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, + ERR_R_INTERNAL_ERROR); + goto err; + } + if ((int)(i + MD5_DIGEST_LENGTH) > num) { + if (!EVP_DigestFinal_ex(m5, smd, NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); + goto err; + } + memcpy(km, smd, (num - i)); + } else { + if (!EVP_DigestFinal_ex(m5, km, NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); + goto err; + } + } + + km += MD5_DIGEST_LENGTH; + } + OPENSSL_cleanse(smd, sizeof(smd)); + ret = 1; + err: + EVP_MD_CTX_free(m5); + EVP_MD_CTX_free(s1); + return ret; +} + +int ssl3_change_cipher_state(SSL *s, int which) +{ + unsigned char *p, *mac_secret; + unsigned char *ms, *key, *iv; + EVP_CIPHER_CTX *dd; + const EVP_CIPHER *c; +#ifndef OPENSSL_NO_COMP + COMP_METHOD *comp; +#endif + const EVP_MD *m; + int mdi; + size_t n, i, j, k, cl; + int reuse_dd = 0; + + c = s->s3->tmp.new_sym_enc; + m = s->s3->tmp.new_hash; + /* m == NULL will lead to a crash later */ + if (!ossl_assert(m != NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; + } +#ifndef OPENSSL_NO_COMP + if (s->s3->tmp.new_compression == NULL) + comp = NULL; + else + comp = s->s3->tmp.new_compression->method; +#endif + + if (which & SSL3_CC_READ) { + if (s->enc_read_ctx != NULL) { + reuse_dd = 1; + } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_MALLOC_FAILURE); + goto err; + } else { + /* + * make sure it's initialised in case we exit later with an error + */ + EVP_CIPHER_CTX_reset(s->enc_read_ctx); + } + dd = s->enc_read_ctx; + + if (ssl_replace_hash(&s->read_hash, m) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; + } +#ifndef OPENSSL_NO_COMP + /* COMPRESS */ + COMP_CTX_free(s->expand); + s->expand = NULL; + if (comp != NULL) { + s->expand = COMP_CTX_new(comp); + if (s->expand == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL3_CHANGE_CIPHER_STATE, + SSL_R_COMPRESSION_LIBRARY_ERROR); + goto err; + } + } +#endif + RECORD_LAYER_reset_read_sequence(&s->rlayer); + mac_secret = &(s->s3->read_mac_secret[0]); + } else { + s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; + if (s->enc_write_ctx != NULL) { + reuse_dd = 1; + } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_MALLOC_FAILURE); + goto err; + } else { + /* + * make sure it's initialised in case we exit later with an error + */ + EVP_CIPHER_CTX_reset(s->enc_write_ctx); + } + dd = s->enc_write_ctx; + if (ssl_replace_hash(&s->write_hash, m) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_MALLOC_FAILURE); + goto err; + } +#ifndef OPENSSL_NO_COMP + /* COMPRESS */ + COMP_CTX_free(s->compress); + s->compress = NULL; + if (comp != NULL) { + s->compress = COMP_CTX_new(comp); + if (s->compress == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL3_CHANGE_CIPHER_STATE, + SSL_R_COMPRESSION_LIBRARY_ERROR); + goto err; + } + } +#endif + RECORD_LAYER_reset_write_sequence(&s->rlayer); + mac_secret = &(s->s3->write_mac_secret[0]); + } + + if (reuse_dd) + EVP_CIPHER_CTX_reset(dd); + + p = s->s3->tmp.key_block; + mdi = EVP_MD_size(m); + if (mdi < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; + } + i = mdi; + cl = EVP_CIPHER_key_length(c); + j = cl; + k = EVP_CIPHER_iv_length(c); + if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || + (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { + ms = &(p[0]); + n = i + i; + key = &(p[n]); + n += j + j; + iv = &(p[n]); + n += k + k; + } else { + n = i; + ms = &(p[n]); + n += i + j; + key = &(p[n]); + n += j + k; + iv = &(p[n]); + n += k; + } + + if (n > s->s3->tmp.key_block_length) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; + } + + memcpy(mac_secret, ms, i); + + if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; + } + + s->statem.enc_write_state = ENC_WRITE_STATE_VALID; + return 1; + err: + return 0; +} + +int ssl3_setup_key_block(SSL *s) +{ + unsigned char *p; + const EVP_CIPHER *c; + const EVP_MD *hash; + int num; + int ret = 0; + SSL_COMP *comp; + + if (s->s3->tmp.key_block_length != 0) + return 1; + + if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_SETUP_KEY_BLOCK, + SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + return 0; + } + + s->s3->tmp.new_sym_enc = c; + s->s3->tmp.new_hash = hash; +#ifdef OPENSSL_NO_COMP + s->s3->tmp.new_compression = NULL; +#else + s->s3->tmp.new_compression = comp; +#endif + + num = EVP_MD_size(hash); + if (num < 0) + return 0; + + num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c); + num *= 2; + + ssl3_cleanup_key_block(s); + + if ((p = OPENSSL_malloc(num)) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_SETUP_KEY_BLOCK, + ERR_R_MALLOC_FAILURE); + return 0; + } + + s->s3->tmp.key_block_length = num; + s->s3->tmp.key_block = p; + + /* Calls SSLfatal() as required */ + ret = ssl3_generate_key_block(s, p, num); + + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { + /* + * enable vulnerability countermeasure for CBC ciphers with known-IV + * problem (http://www.openssl.org/~bodo/tls-cbc.txt) + */ + s->s3->need_empty_fragments = 1; + + if (s->session->cipher != NULL) { + if (s->session->cipher->algorithm_enc == SSL_eNULL) + s->s3->need_empty_fragments = 0; + +#ifndef OPENSSL_NO_RC4 + if (s->session->cipher->algorithm_enc == SSL_RC4) + s->s3->need_empty_fragments = 0; +#endif + } + } + + return ret; +} + +void ssl3_cleanup_key_block(SSL *s) +{ + OPENSSL_clear_free(s->s3->tmp.key_block, s->s3->tmp.key_block_length); + s->s3->tmp.key_block = NULL; + s->s3->tmp.key_block_length = 0; +} + +int ssl3_init_finished_mac(SSL *s) +{ + BIO *buf = BIO_new(BIO_s_mem()); + + if (buf == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_INIT_FINISHED_MAC, + ERR_R_MALLOC_FAILURE); + return 0; + } + ssl3_free_digest_list(s); + s->s3->handshake_buffer = buf; + (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE); + return 1; +} + +/* + * Free digest list. Also frees handshake buffer since they are always freed + * together. + */ + +void ssl3_free_digest_list(SSL *s) +{ + BIO_free(s->s3->handshake_buffer); + s->s3->handshake_buffer = NULL; + EVP_MD_CTX_free(s->s3->handshake_dgst); + s->s3->handshake_dgst = NULL; +} + +int ssl3_finish_mac(SSL *s, const unsigned char *buf, size_t len) +{ + int ret; + + if (s->s3->handshake_dgst == NULL) { + /* Note: this writes to a memory BIO so a failure is a fatal error */ + if (len > INT_MAX) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, + SSL_R_OVERFLOW_ERROR); + return 0; + } + ret = BIO_write(s->s3->handshake_buffer, (void *)buf, (int)len); + if (ret <= 0 || ret != (int)len) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, + ERR_R_INTERNAL_ERROR); + return 0; + } + } else { + ret = EVP_DigestUpdate(s->s3->handshake_dgst, buf, len); + if (!ret) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + return 1; +} + +int ssl3_digest_cached_records(SSL *s, int keep) +{ + const EVP_MD *md; + long hdatalen; + void *hdata; + + if (s->s3->handshake_dgst == NULL) { + hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); + if (hdatalen <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, + SSL_R_BAD_HANDSHAKE_LENGTH); + return 0; + } + + s->s3->handshake_dgst = EVP_MD_CTX_new(); + if (s->s3->handshake_dgst == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, + ERR_R_MALLOC_FAILURE); + return 0; + } + + md = ssl_handshake_md(s); + if (md == NULL || !EVP_DigestInit_ex(s->s3->handshake_dgst, md, NULL) + || !EVP_DigestUpdate(s->s3->handshake_dgst, hdata, hdatalen)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + if (keep == 0) { + BIO_free(s->s3->handshake_buffer); + s->s3->handshake_buffer = NULL; + } + + return 1; +} + +size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len, + unsigned char *p) +{ + int ret; + EVP_MD_CTX *ctx = NULL; + + if (!ssl3_digest_cached_records(s, 0)) { + /* SSLfatal() already called */ + return 0; + } + + if (EVP_MD_CTX_type(s->s3->handshake_dgst) != NID_md5_sha1) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, + SSL_R_NO_REQUIRED_DIGEST); + return 0; + } + + ctx = EVP_MD_CTX_new(); + if (ctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, + ERR_R_MALLOC_FAILURE); + return 0; + } + if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, + ERR_R_INTERNAL_ERROR); + ret = 0; + goto err; + } + + ret = EVP_MD_CTX_size(ctx); + if (ret < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, + ERR_R_INTERNAL_ERROR); + ret = 0; + goto err; + } + + if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0) + || EVP_MD_CTX_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET, + (int)s->session->master_key_length, + s->session->master_key) <= 0 + || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, + ERR_R_INTERNAL_ERROR); + ret = 0; + } + + err: + EVP_MD_CTX_free(ctx); + + return ret; +} + +int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, + size_t len, size_t *secret_size) +{ + static const unsigned char *salt[3] = { +#ifndef CHARSET_EBCDIC + (const unsigned char *)"A", + (const unsigned char *)"BB", + (const unsigned char *)"CCC", +#else + (const unsigned char *)"\x41", + (const unsigned char *)"\x42\x42", + (const unsigned char *)"\x43\x43\x43", +#endif + }; + unsigned char buf[EVP_MAX_MD_SIZE]; + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + int i, ret = 1; + unsigned int n; + size_t ret_secret_size = 0; + + if (ctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_MASTER_SECRET, + ERR_R_MALLOC_FAILURE); + return 0; + } + for (i = 0; i < 3; i++) { + if (EVP_DigestInit_ex(ctx, s->ctx->sha1, NULL) <= 0 + || EVP_DigestUpdate(ctx, salt[i], + strlen((const char *)salt[i])) <= 0 + || EVP_DigestUpdate(ctx, p, len) <= 0 + || EVP_DigestUpdate(ctx, &(s->s3->client_random[0]), + SSL3_RANDOM_SIZE) <= 0 + || EVP_DigestUpdate(ctx, &(s->s3->server_random[0]), + SSL3_RANDOM_SIZE) <= 0 + /* TODO(size_t) : convert me */ + || EVP_DigestFinal_ex(ctx, buf, &n) <= 0 + || EVP_DigestInit_ex(ctx, s->ctx->md5, NULL) <= 0 + || EVP_DigestUpdate(ctx, p, len) <= 0 + || EVP_DigestUpdate(ctx, buf, n) <= 0 + || EVP_DigestFinal_ex(ctx, out, &n) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR); + ret = 0; + break; + } + out += n; + ret_secret_size += n; + } + EVP_MD_CTX_free(ctx); + + OPENSSL_cleanse(buf, sizeof(buf)); + if (ret) + *secret_size = ret_secret_size; + return ret; +} + +int ssl3_alert_code(int code) +{ + switch (code) { + case SSL_AD_CLOSE_NOTIFY: + return SSL3_AD_CLOSE_NOTIFY; + case SSL_AD_UNEXPECTED_MESSAGE: + return SSL3_AD_UNEXPECTED_MESSAGE; + case SSL_AD_BAD_RECORD_MAC: + return SSL3_AD_BAD_RECORD_MAC; + case SSL_AD_DECRYPTION_FAILED: + return SSL3_AD_BAD_RECORD_MAC; + case SSL_AD_RECORD_OVERFLOW: + return SSL3_AD_BAD_RECORD_MAC; + case SSL_AD_DECOMPRESSION_FAILURE: + return SSL3_AD_DECOMPRESSION_FAILURE; + case SSL_AD_HANDSHAKE_FAILURE: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_NO_CERTIFICATE: + return SSL3_AD_NO_CERTIFICATE; + case SSL_AD_BAD_CERTIFICATE: + return SSL3_AD_BAD_CERTIFICATE; + case SSL_AD_UNSUPPORTED_CERTIFICATE: + return SSL3_AD_UNSUPPORTED_CERTIFICATE; + case SSL_AD_CERTIFICATE_REVOKED: + return SSL3_AD_CERTIFICATE_REVOKED; + case SSL_AD_CERTIFICATE_EXPIRED: + return SSL3_AD_CERTIFICATE_EXPIRED; + case SSL_AD_CERTIFICATE_UNKNOWN: + return SSL3_AD_CERTIFICATE_UNKNOWN; + case SSL_AD_ILLEGAL_PARAMETER: + return SSL3_AD_ILLEGAL_PARAMETER; + case SSL_AD_UNKNOWN_CA: + return SSL3_AD_BAD_CERTIFICATE; + case SSL_AD_ACCESS_DENIED: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_DECODE_ERROR: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_DECRYPT_ERROR: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_EXPORT_RESTRICTION: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_PROTOCOL_VERSION: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_INSUFFICIENT_SECURITY: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_INTERNAL_ERROR: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_USER_CANCELLED: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_NO_RENEGOTIATION: + return -1; /* Don't send it :-) */ + case SSL_AD_UNSUPPORTED_EXTENSION: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_CERTIFICATE_UNOBTAINABLE: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_UNRECOGNIZED_NAME: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: + return SSL3_AD_HANDSHAKE_FAILURE; + case SSL_AD_UNKNOWN_PSK_IDENTITY: + return TLS1_AD_UNKNOWN_PSK_IDENTITY; + case SSL_AD_INAPPROPRIATE_FALLBACK: + return TLS1_AD_INAPPROPRIATE_FALLBACK; + case SSL_AD_NO_APPLICATION_PROTOCOL: + return TLS1_AD_NO_APPLICATION_PROTOCOL; + case SSL_AD_CERTIFICATE_REQUIRED: + return SSL_AD_HANDSHAKE_FAILURE; + default: + return -1; + } +} |